BENCHMARKER
How does your organisation or project currently rate against recommended practice for ERM, ISO 31000 and beyond? And how does it rate against others?
Use Benchmarker as a risk benchmark, gap-analysis tool and presentation to help you become RiskSmart. It uses over 70 qualitative questions ordered into ten themed modules.
Here's how (assuming you know the basics of using a spreadsheet in .xls format):
Step 1: Read this page and follow the instructions.
Step 2: Read how to score each question by referring below to "How To Score".
Step 3: Research. Use the worksheet called "Questionnaire" to gather input from appropriate sources, e.g. desk-top research, team workshops, Delphi subject-matter experts, etc.
Step 4: Summarise these inputs as your own notes in columns C & G and customise (NB: the existing questionnaire content is meant as a sample only).
Step 5: Input an appropriate score in Column E. The 'gap' score will pop up in the next cell.
Step 6: Check the worksheet called "Data Summary" is correct. Print off.
Step 7: Check that each consecutive graphics chart for the ten modules (worksheets called "C1", "C2" etc.) is correct. Print off.
Step 8: Open up the already filled worksheet called "Dashboard". Check the numbers are correct. Customise the look. Use as a one-page presentation. Print off.
Step 9: Get an idea of how you may rate against other companies by checking the pattern of scoring for the green-shaded maturity question cells.
Step 10: Future: send any improvements or global practice changes to domenic.antonucci@gmail.com and watch our website: http://www.DAntonucci.com

How to Score in Column E:
1. Not at all - e.g. no evidence of this or not known
2. Partially - e.g. evidence is in-part or being reviewed or still being planned
3. Largely - largely evidenced, formally under development, largely-complete
4. Fully - in full evidence or formally implemented, auditable
Note 1: The score indicates the degree to which each individual criterion complies with recommended practice in terms of both effectiveness and efficiency.
Note 2: The criteria appear in sequential order, not in implied order of importance, and are iterative in nature.
Note 3: Don't be alarmed if you rate less than 50%. Many companies surveyed in my experience rate around 20% if they are young organisations or have young risk functions.
Note 4: The colour of each question box is ordered in rough degree of sophistication and is indicative of the following Deloitte-style risk maturity model scale:

Representative attributes of each Stage of Management Maturity (an adaptation of the Deloitte Model):

Maturity level:          Initial        Fragmented    Top Down        Integrated    Risk Intelligent
Indicator e.g.:          individuals    silos         action-plans    scenarios     embedded, AWAC, performance links, risk modelling
1,541 firms surveyed %:  7.3%           21.3%         22.6%           16.9%         8.2%          (don't knows: 23.8%)



Explanation of the scores the dashboard ratings are based on, and the rationale for future action:
Red Traffic Light if score <25%        Inability to demonstrate adherence to recommended practice. Fundamental need to address this area.
Orange Traffic Light if score 25-49%   Material gap between current practice and recommended practice. Substantial opportunity for improvement.
Yellow Traffic Light if score 50-74%   Some ability to demonstrate adherence to recommended practice. Some opportunity for improvement.
Green Traffic Light if score 75%+      Observed practice consistent with recommended practice. Limited need for further development. Monitor.
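The following is an added worked example, not part of the Benchmarker workbook itself, showing the arithmetic behind Steps 5 to 8 so that the "Data Summary" and "Dashboard" figures can be checked independently of the spreadsheet formulas. It uses the Questionnaire worksheet's 0-3 status legend (0 Not at all, 3 Fully), derives each criterion's potential gap as 3 minus the status, and sums both per module. Two things are assumptions rather than something the sheet states: the module percentage is computed as the status total divided by the maximum possible total (3 per criterion), and the overall figure is the same ratio across all scored modules. The sample status values are the ones recorded in the sample questionnaire for modules 1 to 4.

```python
from dataclasses import dataclass
from typing import Dict, List

MAX_STATUS = 3  # Questionnaire legend: 0 Not at all ... 3 Fully


@dataclass(frozen=True)
class ModuleResult:
    name: str
    status_total: int   # sum of column E statuses
    gap_total: int      # sum of the 'potential gap' cells
    percent: float      # assumed: status_total / (3 * number of criteria)
    traffic_light: str  # dashboard rating from the Start Here thresholds


def gap_score(status: int) -> int:
    """Potential gap for one criterion: 0 = no gap, 3 = criteria absent."""
    if not 0 <= status <= MAX_STATUS:
        raise ValueError(f"status must be 0..{MAX_STATUS}, got {status}")
    return MAX_STATUS - status


def traffic_light(percent: float) -> str:
    """Map a module percentage to the Red/Orange/Yellow/Green bands."""
    if percent < 25:
        return "Red"
    if percent < 50:
        return "Orange"
    if percent < 75:
        return "Yellow"
    return "Green"


def summarise_module(name: str, statuses: List[int]) -> ModuleResult:
    """Replicates the per-module totals shown on the Data Summary sheet."""
    if not statuses:
        raise ValueError(f"module {name!r} has no scored criteria")
    gaps = [gap_score(s) for s in statuses]
    status_total = sum(statuses)
    gap_total = sum(gaps)
    # Assumed percentage formula (not stated on the sheet): share of the maximum score.
    percent = round(100 * status_total / (MAX_STATUS * len(statuses)), 1)
    return ModuleResult(name, status_total, gap_total, percent, traffic_light(percent))


def check_data_summary(result: ModuleResult, criteria_count: int) -> bool:
    """Step 6 sanity check: status and gap totals must add up to 3 per criterion."""
    return result.status_total + result.gap_total == MAX_STATUS * criteria_count


# Statuses taken from the sample questionnaire on this page, in criterion order.
SAMPLE_SCORES: Dict[str, List[int]] = {
    "1. Sponsorship and Positioning":          [1, 2, 1, 1, 1, 2],
    "2. Managing the Risk Management Process": [0, 1, 1, 1, 1, 1, 0, 1, 1],
    "3. Risk Identification":                  [1, 1, 2, 2, 1, 1, 1],
    "4. Risk Prioritisation":                  [0, 0, 0, 0, 2, 0, 1, 0],
}


def build_dashboard(scores: Dict[str, List[int]] = SAMPLE_SCORES) -> Dict[str, ModuleResult]:
    """One ModuleResult per module, keyed by module name."""
    return {name: summarise_module(name, statuses) for name, statuses in scores.items()}


def overall_percent(scores: Dict[str, List[int]] = SAMPLE_SCORES) -> float:
    """Assumed overall rating: all statuses over the maximum across all modules."""
    total = sum(sum(s) for s in scores.values())
    maximum = MAX_STATUS * sum(len(s) for s in scores.values())
    return round(100 * total / maximum, 1)


if __name__ == "__main__":
    for name, r in build_dashboard().items():
        ok = check_data_summary(r, len(SAMPLE_SCORES[name]))
        print(f"{name}: status {r.status_total}, gap {r.gap_total}, "
              f"{r.percent}% -> {r.traffic_light} (summary check {'ok' if ok else 'FAILED'})")
    print(f"Overall: {overall_percent()}% -> {traffic_light(overall_percent())}")
```

Running it reproduces the module totals printed under each module in the sample (8/10, 7/20, 9/12, 3/21) and rates modules 1 to 3 Orange and module 4 Red, which matches Note 3's expectation that a young risk function lands well under 50%. If a module's status and gap totals fail the check, the column-F gap formulas or the Data Summary references have been broken by customisation and should be repaired before the charts are printed.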

Sources for this Gap Analysis: A Synthesis by Domenic Antonucci including but not limited to:
ISO 31000:2009 formerly AS/NZS 4360:2004 enterprise risk management guidelines
Creating a Risk Intelligent Infrastructure Issue No 19 2010 and other publications by Deloitte, "Big 4" audit and consulting firm
Marsh Business Risk Management Model 2009 by Marsh Risk Consulting, the largest global specialty risk consulting firm, a model synthesising COSO, Basel II, Sarbanes-Oxley, etc.
A Structured Approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 by IRM Institute of Risk Management, UK, 2010
PMI Risk Management Professional guidelines
IIA's CIA Learning System (Institute of Internal Audit Certified Internal Auditor) guidelines




Page 1    Benchmarker Gap Analysis ISO3100 plus Tool Generic 260611.xls

Questionnaire worksheet columns:
Benchmark Criteria | Evidence of Recommended Practices | Status @ DDMMYY: 0 - Not at all, or not known; 1 - Partially; 2 - Largely; 3 - Fully | Potential gap: 0 - no gap, up to 3 - criteria absent
1. Sponsorship and Positioning: The Board of Directors (BoD) and Senior Management collectively recognise their on-going responsibility to manage risk governance, and demonstrate organisation mandate and commitment.

1.1) The BoD (and top Management) sets the 'tone at the top' and is ultimately accountable for risk governance, risk oversight and strategic decision-making. It can delegate responsibility to management. It directs one common and tailored risk framework to mitigate key risks (e.g. risk management policy and procedures) that expresses its commitment to the effective management of risk. It monitors strategic alignment and sets parameters of acceptable risk and overall risk expectations. E.g. a formal risk management policy is intended to set out the organization's approach to risk. It introduces a common language and understanding of risk, demonstrates management ownership and endorsement of an approach and helps ensure that all staff have a sound basis for risk management decision making and application. This policy needs to encompass all forms of risk. This may include documented procedures to control property, liability, environment, brand and safety risks, and to protect the security of people, assets, intellectual property and financial assets.
Evidence: Part. BoD implicitly understands risk as part of strategic decision-making and has approved a Corporate Governance Manual. The Corporate Governance Manual awaits approval and includes a summary of Risk Management objectives and CRO Role and Responsibilities. A Board Charter is being drafted. Some risk-related policies are newly in place such as brand and communications. All: BoD is very high-level here so yes part of corp. gov, org structure inc CRO, active Audit Committee, but not executed yet.
Status: 1   Potential gap: 2

1.2) A Head of Risk and/or Risk Management Committee (or equivalent) acts as the clearing-house for risks, policies, appetite-setting and governance with sign-offs from BoD. It ensures risk management is systemic, structured and timely, e.g. strategy, vision and mission statements, risk tolerance and appetite, and Risk Management targets and objectives linked to business objectives in response to changing internal and external circumstances.
Evidence: Part. First new CRO appointed Jul 2010. The Audit Committee plays some of this role. It has recommended a Risk Management Committee be established but this has not been approved by BoD to date.
Status: 2   Potential gap: 1

1.3) Organisation roles and responsibilities for risk management are clear and tailored to the business processes of the organisation. An individual member of the BoD or equivalent has specific responsibility for the oversight of risk management activities. There is transparency between all governing bodies.
Evidence: Part via Fin Risk Mgt and CRO.
Status: 1   Potential gap: 2

1.4) Risk management activities take account of the different stakeholder interests and perceptions of risk.
Evidence: Not directly. Good at project-level, PMC and Comms Government Relations. Booz & Co interviewed 10 external stakeholders.
Status: 1   Potential gap: 2

1.5) The BoD is confident it is delivering two key outcomes:
a) The organisation has a current, correct and comprehensive understanding of its risks, and
b) It is acting within its risk criteria.
Evidence: Part. BoD is confident the organisation has part of current and part-understanding of its risks. BoD Secretary comments: "We have only started the process .. There are so many stakeholders … we know so little about what we do not know".
Status: 1   Potential gap: 2
1.6) The BoD and equivalent sponsors, discusses and actively demonstrates its commitment to embedding Risk Management so that it is part of decision-making, e.g. communicating the benefits to stakeholders, considered at the start of any major capex authorisation or organisational change or key project, regular agenda item, resourcing the risk investment needs, board meeting minutes, CEO promoting use of an internal theme-name for the ERM program e.g. Becoming RiskSmart, etc. Such active demonstration galvanises management and staff commitment.
Evidence: Largely. Risk is considered at the start of most major capex authorisation or organisational change or key projects and whilst not on the formal agenda has been the one consistent focus of the last four BoD meetings and a key consideration of key initiatives put to the Board by the business. Also, BoD is increasingly connecting with the top governmental stakeholders e.g.
Status: 2   Potential gap: 1

Module 1 totals:   Status 8   Potential gap 10
2. Managing the Risk Management Process: Ensure Risk Management is part of the planning and performance management processes and that roles and responsibilities are clearly defined.

2.1) Executive Management take primary responsibility to design, implement and maintain an effective common risk management and infrastructure (People, Process, Technology). This includes the risk assessment process, control systems and risk mitigation strategies. Risk Management is a critical function of an organisation's management. It is central to the rational allocation of resources and the choice of action in the achievement of objectives.
Evidence: Some silo-based piecemeal risk assessment process, control systems and risk mitigation strategies. Not always driven at Executive Management level and limited to design and less on implementation and maintenance.
Status: 0   Potential gap: 3

2.2) Executive Management provide objective business monitoring and assurance of business line managers and staff. Roles and responsibilities for risk management are identified, recognised, continually reviewed and signed-off by BoD. Correct practices are followed.
Evidence: Usually for specialty-risk areas within silos e.g. HSE, Security, Legal, Finance Risk.
Status: 1   Potential gap: 2

2.3) A particular group has responsibility to co-ordinate risk management and provides a focus (e.g. Risk Management Function/Team/Department), often reporting to a dedicated Risk Management Committee (or equivalent) in charge of risk management activities throughout the company (in addition to any specific H&S or Environmental Committees formed). They: Develop the risk management policy and keep it up to date; Document the internal risk policies and structures; Co-ordinate the risk management (and internal control) activities; and Compile risk information and prepare reports for the Board.
Evidence: First new CRO appointed Jul 2010. No Risk Management or equivalent Committee.
Status: 1   Potential gap: 2

2.4) Individuals take responsibility for managing risk. Risk rests with those individual(s) who are best placed to manage them and information flows support this (e.g. Risk Champions). Individual employees: Understand, accept and implement RM processes; Report inefficient, unnecessary or unworkable controls; Report loss events and near miss incidents; and Co-operate with management on incident investigations.
Evidence: Rests with some individuals - not always by design - in some silos for some activities.
Status: 1   Potential gap: 2

2.5) Risk management techniques are consistently applied in strategic, business and operational management.
Evidence: Some but only within silo units and specialty risk areas e.g. Finance, H&S.
Status: 1   Potential gap: 2
2.6) Collective ownership of specific risks is aligned with accountability for business delivery through the annual strategy planning process. Business Risk Assessments are undertaken as part of the annual planning process.
Evidence: Part. Some silo by x unit.
Status: 1   Potential gap: 2

2.7) Clear timescales and milestones are set for risk management within the corporate calendar.
Evidence: Nil.
Status: 0   Potential gap: 3

2.8) Executive and Business Management take ownership of Risk Management activities which are co-ordinated organisation-wide. It is transparent and independent from the Audit and Assurance process/functions (e.g. the latter do not influence risk identification and assessment or the content of a risk register). Business managers: Build risk aware culture within the unit; Agree risk management performance targets; Ensure implementation of risk improvement recommendations; and Identify and report changed circumstances / risk.
Evidence: Some ownership but no enterprise-wide co-ordination, transparency, independence (Internal Audit drove the KPMG Risk Register exercise), or business manager consistency.
Status: 1   Potential gap: 2

2.9) Business units and supporting functions take responsibility for risk ownership within their business and are co-ordinated organisation-wide. They execute. Business Units ensure that risks are identified, assessed, integrated, mitigated, reported and continually reviewed. Support functions support risk by bearing primary responsibility for risks that originate within their field (e.g. finance leads on Sarbanes-Oxley risks). They also share knowledge, networks, and serve on risk committees or forums. They: Assist the company in establishing specialist risk policies; Develop specialist contingency and recovery plans; Keep up to date with developments in the specialist area; and Support investigations of incidents and near misses.
Evidence: Partly by BU silos. CRO too new. Largely by small Supporting Functions who take ownership for Legal, Internal Audit, Financial & Insurance, Security & BU-level HSE. But Security & HSE do not have Corporate Functions at all and hence no co-ordinated enterprise-wide activity. Little inter-facing and sharing or channels to do so.
Status: 1   Potential gap: 2

Module 2 totals:   Status 7   Potential gap 20
3. Risk Identification: Risks are identified systematically and consistently across the organisation.

3.1) There is a common definition of 'risk' explicitly addressing 'uncertainty'. Refer ISO31000 (2009). Defined risks on registers are 'crunchy' in nature, i.e. fully understood with minimum wording for clarity in order to optimise mitigation plans. Risk identification addresses both 'uncertainties' to organisation objectives ('threats or downsides') and 'opportunities' ('upside'), i.e. the risk of NOT pursuing an opportunity. This includes risk not under the control of the organisation as well as knock-on, cascade or cumulative effects.
Evidence: KPMG-defined risks are largely 'crunchy'.
Status: 1   Potential gap: 2
3.2) The identification and assessment methodology is actively driven by the business and is co-ordinated organisation-wide. The mix of Questionnaires, 1:1 structured interviews, site inspections, assistance and group sessions such as workshops used should be appropriate to the organisation and 'owned' by the business managers (not Audit). Audit may input data and advice to the Risk Co-ordinating Function but stay independent of the process creation and content. Consultants may assist with the methodology to identify, analyse and evaluate risks but avoid dictating content.
Evidence: Not actively driven by the business (but by Internal Audit and their KPMG audit-led consultant) and not co-ordinated organisation-wide. The methodology used was not appropriate as it was linked to Audit. Audit inputs data and advice to the CRO and will stay independent of the process creation and content in future. Consultants have assisted with the methodology to identify, analyse and evaluate risks.
Status: 1   Potential gap: 2

3.3) Risk identification is based on the best information available. Statistical information (e.g. loss statistics, insurance statistics) is included in the identification of risks, in addition to information on types of injury/locations to assess causes of incidents and possible damage potential. Financial information (e.g. budgets, performance reports) is included.
Evidence: Part e.g. HSE, Insurance. Enterprise-wide risks were identified by KPMG and recorded on Risk Registers By Function/Process but these are dated, potentially inaccurate (due to methodology employed), process-orientated and Inherent (not Residual).
Status: 2   Potential gap: 1

3.4) Functional experts (e.g. auditors, human resources, valuers) are included in business identification of risks.
Evidence: Largely. Auditors and finance and PMC.
Status: 2   Potential gap: 1

3.5) Considers interactions among multiple risks and their impacts. Does not focus on a single risk or event.
Evidence: Part.
Status: 1   Potential gap: 2

3.6) A risk universe is identified and maintained: all potential risks and risk events identified as applicable to the organization, regardless of likelihood or impact.
Evidence: Part. KPMG did not prepare a Risk Universe but a Functional Process-level categorisation.
Status: 1   Potential gap: 2

3.7) Organisation-wide risk identification is an ongoing routine process, as new risks emerge due to changes in the internal/external environment. Every decision or management action has the effect of in some way changing risks. To manage risks proactively, it is preferable to routinely identify and measure risks at the time that the decisions are made. Additionally, it is prudent to review risks periodically, particularly if there have been changes in the external or internal environment or if the company has changed its objectives or strategic focus. All staff are given guidance on the identification and articulation of risks.
Evidence: Part in Finance.
Status: 1   Potential gap: 2

Module 3 totals:   Status 9   Potential gap 12
4. Risk Prioritisation: Prioritise the risks identified in descending order of importance, to focus time and resource on the critical risks first.

4.1) A common Risk Tolerance is defined and updated. Risk Tolerance is the acceptable levels of quantified variation to risk appetite in order to achieve an objective. It is also known as material risk bearing capacity and must be quantified. It under-pins the semi-quantitative risk matrix used to assess risk and is a part of Risk Appetite (which sets how much residual risk to accept when pursuing mission, strategy and objectives).
Evidence: Nil.
Status: 0   Potential gap: 3
4.2) Risks are considered on a residual basis. Prioritisation scales take into account a discount on the Inherent (or Gross) Risk by the effectiveness of current controls. Mitigation focus is on the top residual (not inherent) risks.
Evidence: KPMG recorded Risk Registers By Function/Process but these are Inherent (not Residual).
Status: 0   Potential gap: 3

4.3) The Risk Management function reviews all risk registers for quality. It co-ordinates inputs and consolidates all outputs.
Evidence: Nil.
Status: 0   Potential gap: 3

4.4) Quantification of risks is undertaken as part of the Risk Management function's review of risk registers.
Evidence: Nil.
Status: 0   Potential gap: 3

4.5) Risk registers which track risk management activity (at Group, unit, project and other appropriate levels) are aligned and consolidated across the organisation. They include "common themes/categories", individual risks that could have a strategic / corporate effect, causes, consequences and existing controls. They cascade both upwards and downwards.
Evidence: Largely. Some risk registers exist at PMC, BU and Project-levels. Z Unit's Strategic Issues Register is a running list which is updated on a regular basis.
Status: 2   Potential gap: 1

4.6) A common Risk Matrix is defined and updated. A risk matrix is the customised and common criteria used to rate and prioritise risks. Clear criteria scales/thresholds are set for Risk Impact, Risk Likelihood and Effectiveness of Controls. Criteria can be derived from legal and regulatory requirements and other requirements to which the organisation subscribes. It equates to a Risk Appetite statement and guide for managers. Risk Matrix scales are not considered in isolation and act as a filter to ensure reporting at the most appropriate levels. Risk Appetite is semi-quantitative and includes tolerance (which is quantitative).
Evidence: Nil.
Status: 0   Potential gap: 3

4.7) Organisation-wide risks are evaluated after identification and analysis and prioritised within a formalised framework and to a common Risk Matrix applicable across the whole of the organisation.
Evidence: Part. KPMG went some way with common risks.
Status: 1   Potential gap: 2

4.8) The risk assessment process is ongoing and allows the most critical risks to be prioritised and considered at the BoD level, particularly to allocate resource.
Evidence:
Status: 0   Potential gap: 3

Module 4 totals:   Status 3   Potential gap 21
5. Risk Treatment: Generate and implement risk action plans to treat the risks identified.

5.1) Risk treatment action plans are SMART (Specific, Measurable, Attainable, Realistic and Timed) for ease of reporting and monitoring. Each risk is allocated to and driven by a specific individual for actioning and/or sponsorship via a mini-task force or project team. These are often multi-functional.
Evidence: Some in-part and de-facto. Can be articulated by some senior managers but are not formally documented or are too general as in part of other process / regulatory driven activity.
Status: 1   Potential gap: 2

5.2) A cost / benefit analysis is undertaken for the proposed risk treatment against the impact of the risk, formal or informal. It includes resource requirement or contingencies, performance measures and constraints.
Evidence: Part - handled on a Project-Silo basis or is non-systematic.
Status: 1   Potential gap: 2
5.3) Current controls and proposed controls are tracked in risk registers and subject to monitoring, review and further mitigation (if required). Monitoring and reporting can be live, periodic or ad hoc. Details of required risk responses are recorded, together with arrangements to track risk improvement recommendations. Incident reporting procedures are established to facilitate identification of risk trends, together with risk escalation procedures.
     Evidence: Part
     Status: 1   Gap: 2

5.4) Risk treatment strategies or control options are consolidated and traceable across the organisation where it is beneficial to do so to achieve economies of scale and best practice. These may include, for Opportunities: Accept, Enhance, Exploit, Share; and for Threats: Accept, Avoid, Reduce and Transfer control options.
     Evidence: Nil.
     Status: 0   Gap: 3

5.5) The risk financing strategy is linked into the Action Plans, e.g. insurance or self-funding.
     Evidence: Part.
     Status: 1   Gap: 2

5.6) Specific Key Risk Indicators (KRIs) are developed to monitor the actions taken to mitigate risks and act as lead indicators or fore-warning of future exposure. KRIs are linked to current KPIs and the overall business objectives.
     Evidence: Nil.
     Status: 0   Gap: 3

5.7) Insurance should be informed by the Risk Registers and risk action plans. Insurance cover limits and cost evaluation should not just rely on the underwriter's standard policy. The purchase of insurance should be integrated with the design of the organisation risk management/safety program and the integration of various risk-related activities with regard to impact on the total cost of risk. For example, in Project Risk Management, insurable and non-insurable risk should typically be reviewed at these key sequential points prior to Handover: Design phase risk review, Construction Underwriting Report, Project Document Review, Insurance Program design then procurement then management, and pre-start up Audit.
     Evidence: Largely.
     Status: 2   Gap: 1

5.8) Business disruptions and dis-continuity. The organization has a process, policies and procedures for restoring operations critical to the resumption of business after a natural or human-induced disaster. It tests or exercises the plans. It includes Disaster Recovery, Emergency Response, Security and Crisis Management Plans. A key risk for all companies is that they may be unable to operate as usual due to an event that either directly disrupts their operations or disrupts the operations of one of their supply chain partners. By fully analyzing this risk, and preparing suitable plans to deal with the event should it occur, the impacts of the event can be much reduced. Such plans are also useful to demonstrate to insurers that business interruption risk and product liability risk are being effectively controlled.
     Evidence: Part. IT and current ports.
     Status: 1   Gap: 2

5.9) Consistently use advice of professionals to make decisions with significant exposure to liability, environment, brand and safety risks.
     Evidence: Largely.
     Status: 2   Gap: 1
5.10) The total cost of risk is known and actively managed. For instance there are strong linkages between managing the costs of compensating work place injury (whether this is insured or self-insured), and preventing and limiting the effects of such injury. How much of an un-insured and unbudgeted loss the organisation can withstand in one year is periodically estimated. (Insurance is a suitable method of funding losses that you don't have the capacity to fund yourself. Most premiums are, however, expensive. By formally considering what capacity your organization has to fund unbudgeted losses without insurance, premium expenditure can be better targeted.)
     Evidence: Nil.
     Status: 0   Gap: 3

5.11) Identification and prioritisation activities lead onto specific mitigation of top risks. These take the form of practical solutions and risk action plans implemented in specific response to the major risks to a common approach.
     Evidence: Some in-part, de-facto and specific solutions/ Action Plans. Can be articulated by some senior managers but are not formally documented or are too general as in part of other process / regulatory driven activity.
     Status: 1   Gap: 2

5.12) Opportunity risks are identified and treated (refer to Q5.3).
     Evidence: Nil
     Status: 0   Gap: 3

5.13) Scenario planning is used to analyse multiple-risks or high impact/low likelihood, emerging, Shell-style "future world scenarios", opportunity, outlier or 'black swan' risks. “Black swan” refers to any event that is rare, has an extreme impact, and is explainable and predictable - but only in hindsight.
     Evidence: Part. In finance.
     Status: 0   Gap: 3

     Module 5 subtotal: Status 10   Gap 29
6. Reporting: There is a consistent reporting framework in place to facilitate reporting at the appropriate level. This will include subsequent feedback and communication throughout the organisation of its outputs.

6.1) Routinely capture, analyze and report on incidents, near misses and insurance claims to senior management or directors (e.g. H&S risk events). The reporting activities are done immediately following their occurrence and not delayed until the next scheduled reporting date. Incident-reporting is routine and genuine.
     Evidence: In-part and ad-hoc.
     Status: 1   Gap: 2

6.2) Any task where there is an unacceptable risk of personal injury or death is addressed by a hazard management plan.
     Evidence: Hazard management plans are in effect if only formalised in-part.
     Status: 1   Gap: 2

6.3) There is a defined Risk "reporting-up" procedure and tools aligned with the Group ERM reporting system.
     Evidence: Nil
     Status: 0   Gap: 3

6.4) There is a defined "reporting-down" procedure and tools to provide risk management feedback/ reassurance to all relevant stakeholders (internal and external).
     Evidence: Nil
     Status: 0   Gap: 3

6.5) Integrated Enterprise-wide risk monitoring, measuring and reporting. The content, format and frequency of reports are appropriate to the audience for which they are intended and can be evidenced by Audit to be aligned with the Risk Register (in at least a Manual Spreadsheet Format).
     Evidence: Nil
     Status: 0   Gap: 3
6.6) The BoD receives timely and sufficient information to fulfil their responsibilities for the management of risk across the organisation and also to provide an external BoD annual review statement on risk management. The UAE Corporate Governance Report, timed before any AGM by the BoD, "shall disclose in the report the scope of a Company's compliance with the internal control system and the effectiveness of internal controls and risk management framework ...changes that take place since the last review to the nature and extent of major risks and the Company's ability to respond to changes of operations and external environment ...the procedure that the Company has adopted to determine, assess and manage major risks ...any additional information to assist the understanding of operations of the Company's risk management and internal control system" (UAE 518). Directors cannot fulfil responsibilities for good governance unless they are made aware. A review report may contain:
• summary of enterprise risks
• summary of the existing gaps in the capabilities for managing risks
• summary of top and worst performing risks, as well as inter-dependent risks or those controls on lower risks for which the controls are critical
• early warning system / environmental scan
• values at risk individually and consolidated
• significant findings and changes outside of management control
• summary of status of improvement activities
• status/ progress of improvement initiatives
     Evidence: Nil
     Status: 0   Gap: 3

     Module 6 subtotal: Status 2   Gap 16
7. Monitoring: The organisation continuously monitors the risks facing it, and improvement to the Risk Management process and its effectiveness.

7.1) The Risk Management function is responsible for co-ordinating and monitoring risk performance, and continuous improvement (to principles, framework and process of managing risk).
     Evidence: The Risk Management Department/ Group is headed by a new CRO and not staffed.
     Status: 1   Gap: 2

7.2) There is an external annual review of the entire risk management process (in addition to any specific external audits of H&S/ compliance with appropriate Regulation Acts). Audit provides independent Assurance. As part of the risk-based Annual Audit Program, Internal Audit performs an annual internal review of the risk management group/function and process. External audit independently tests the performance of most of your risk control systems. Audit provides an independent evaluation and perspective of performance and can therefore help drive improvement. The fact that such reviews occur also helps insurers and other stakeholders form a positive view of risk management practice.
     Evidence: Part.
     Status: 1   Gap: 2
7.3) Compliance and Internal Audit provide objective external-to-business assurance and monitor and report on the effectiveness of risk management to governing and management bodies. Otherwise they remain independent of business risk management. They: develop a risk-based internal audit programme; audit the risk processes across the organisation; receive and provide assurance on the management of risk; and report on the efficiency and effectiveness of internal controls.
     Evidence: Largely.
     Status: 2   Gap: 1

7.4) The Board and Audit Committee receive periodic or annual reports on the effectiveness of the risk management process. These report whether, in the past year, there is a satisfactory return on investment in risk management, that it creates value and that the management of key risks is better this year than last year. Continuous improvement of both effectiveness and efficiency of risk management practice is fundamental to achieving best practice. As with other areas of business improvement, risk management efforts need to be planned and measured using consistent metrics in order to evaluate year on year progress.
     Evidence: Internal Audit annual reports to Audit Comm.
     Status: 1   Gap: 2

7.5) There is a process in place for genuine business user feedback, to flag up any weaknesses and failures in the system for which corrective action needs to be taken.
     Evidence: Nil
     Status: 0   Gap: 3

7.6) There is an ‘early warning system’ to BoD and management for new, emerging and escalating risks above established thresholds.
     Evidence: Nil
     Status: 0   Gap: 3

7.7) There is an integrated IT system, or Technology is used, to structure and aid the process of risk management. It is updated regularly and is used as the primary tool to assess the status of risk management activities (business process management) and generate reports (business activity monitoring).
     Evidence: Nil
     Status: 0   Gap: 3

     Module 7 subtotal: Status 5   Gap 16
8. Culture & Embedding: People have the ability and tools to embed and sustain a Risk Management process in the organisation's culture and practices.

8.1) Organisation Design. The right structures are in place. Risk management resources are being used efficiently. The risk management, compliance and governance nexus is formalised. Activities include forming committees, teams, offices, and other organisational structures. Includes a dedicated Risk Management function to provide advice and support to all staff in managing risk. It shares good practice with all staff (e.g. reviews, intranet, forums). It makes risk transparent and inclusive. It taps effective networks within the organisation to informally and formally exchange risk management best or recommended practice (e.g. Risk Management Group, forums, intranet etc.).
     Evidence: Part.
     Status: 2   Gap: 1
8.2) Roles and responsibilities are well-defined. People understand what their risk management responsibilities are, and these are dynamic, iterative and responsive to change. Risk-smart philosophy is embedded into practices - "the walk matches the talk". Being risk-smart is more than being risk-aware or safety-conscious; it is about the intelligent and consistent daily practice, over time and under pressure, of balancing risk and return (reward, etc). Practices are aligned to a common risk appetite.
     Evidence: Part.
     Status: 1   Gap: 2

8.3) Talent management. Needed risk skills and competencies are identified. There are enough people to do what needs to be done to manage risk effectively. Staff focused on risk management are trained in the required skill sets to help support effective execution e.g. Risk Champions, specialty risk staff. Risk management can be highly specialised.
     Evidence: Part.
     Status: 1   Gap: 2

8.4) Training and development. Risk management competency levels are defined and embedded into the competency model. Mechanisms are in place to train and measure risk-related skills and knowledge. Staff development strategy and supporting plans are in place. Recurring activities, corporate philosophy, budgets and other factors are monitored to help maintain staff competency, which can erode with time, staff-turnover, etc. There are processes for: training needs analysis, training development program, induction and orientation. When something goes wrong in relation to the risk management process, appropriate re-training or re-fresher training is given.
     Evidence: Nil.
     Status: 0   Gap: 3

8.5) Measurement and reward. Desired risk management behaviour is recognised and rewarded. There is linkage to individual performance measures, incentives and the Company’s reward system. Risk management responsibilities are written into position descriptions, key performance indicators (KPIs) and formal delegations of authority to managers. Performance indicators are determined and align with performance indicators for the organisation. This supports business objectives and Risk Management performance.
     Evidence: Part for X
     Status: 1   Gap: 2

     Module 8 subtotal: Status 5   Gap 10
9. Communication: The organisation actively consults and communicates its various risk management activities to all stakeholders.

9.1) All managers have a common language of terms and metrics as a basis for communicating what is acceptable and unacceptable risk to the organization, e.g. definition of risk in respect of safety, financial impacts of risk, risk appetite.
     Evidence: Part. Some do in silos and for specialty areas e.g. project-risk, HSE-risk.
     Status: 1   Gap: 2

9.2) Communication and consultation with external and internal stakeholders takes place at every stage of the risk management process. Those responsible for implementing risk management and stakeholders understand the basis on which risk decisions are made and reasons why particular actions are required.
     Evidence: Part
     Status: 1   Gap: 2
9.3) There is a risk communication plan and calendar of communication with existing internal and external organisation communications e.g. intranet, annual report, town-halls.
     Evidence: Nil
     Status: 0   Gap: 3

9.4) A consultative team-approach is used.
     Evidence: Part e.g. HSE Committee.
     Status: 0   Gap: 3

9.5) Communication and consultation on top residual risk (after mitigation) to senior management and all decision-makers and stakeholders is timely and accurate. Communication is truthful, relevant, accurate, timely and understandable to its audience. This is important because they make judgments about risk based on their perceptions of risk, which can vary.
     Evidence: Part.
     Status: 1   Gap: 2

9.6) Risk discussion is embedded in strategic planning, capital allocation, product development, project approval, etc.
     Evidence: Part
     Status: 1   Gap: 2

     Module 9 subtotal: Status 4   Gap 14
10. Working with Counterparties: The organisation has robust risk management practices in place when working with counterparties.

10.1) The organisation's customised approach, appetite and culture to managing risk is clearly communicated to existing and potential counterparties. Consideration is given to the need for a consistent and common approach to managing risks which cut across the organisation and counterparties.
     Evidence: Partly. Lots of legal contracts and tenant selection process but the culture and approach to managing risk still to be defined and clearly communicated e.g. PMC.
     Status: 1   Gap: 2

10.2) The specific risks associated with joint working (e.g. JV's) are properly identified and assessed by us. Focus is on interface exposures. Specific consideration is given to the most appropriate management of risks associated with partnerships with other sectors. These take account of:
  ■ Counterparties' culture and systems
  ■ Understanding the counterparties' objectives
  ■ Funding and accountability issues
  ■ Counterparties' risk management systems
  ■ Ensuring a link between successful risk management by contractors and their level of reward
  ■ Clear reporting and monitoring arrangements
     Evidence: Largely. Stronger with Suppliers and Contractors and as legal or insurance risks. Still being formalised and made consistent across all stakeholders e.g. little Risk Management accountability on PMC from X until July 2010. Not on interface exposures.
     Status: 2   Gap: 1

10.3) Potential counterparties are required to produce and submit details on how they manage risk before commitment.
     Evidence: Part. Limited to what is covered in a contract or a tenant agreement e.g. X Regs.
     Status: 1   Gap: 2

10.4) There is reliable and regular information to monitor the risk management performance of counterparties.
     Evidence: Part for PMC.
     Status: 1   Gap: 2

     Module 10 subtotal: Status 5   Gap 7
                                                                               71                                            TOTAL                   58                       155
Data Summary

Benchmark Modules                             Current Status @ DDMMYY   Current Gap
1. Sponsorship and Positioning                          44%                 56%
2. Managing the Risk Management Process                 26%                 74%
3. Risk Identification                                  43%                 57%
4. Risk Prioritisation                                  13%                 88%
5. Risk Treatment                                       26%                 74%
6. Reporting                                            11%                 89%
7. Monitoring                                           24%                 76%
8. Risk Awareness Culture                               33%                 67%
9. Communication                                        22%                 78%
10. Working with Counterparties                         42%                 58%

                                          Overall Current State   Overall Opportunity for Improvement
Total                                               27%                        73%
Check                                             28.35%                      71.65%
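The Data Summary carries two overall figures that do not agree (Total 27% against Check 28.35%), and the difference is worth understanding before the numbers go on a dashboard: the Total row pools the raw points over all 71 questions, so a module with more questions weighs more, while the Check row averages the ten module percentages with equal weight. The Python below is an added illustration, not part of the Benchmarker workbook; it reproduces the scoring model that the visible rows imply (gap = 3 - score, since score 1 shows gap 2 and score 2 shows gap 1, and 71 × 3 = 213 = 58 + 155) and the rating bands from the dashboard. Module 10's four scores are taken from the page (they give 5 current, 7 gap, 42%/58%); the second module and the function names are constructed for the example.

```python
"""Benchmarker-style scoring: per-question points, per-module percentages, the
"Total" and "Check" overall figures, and the dashboard rating band.
Added example; not code from the Benchmarker workbook."""

MAX_POINTS = 3  # inferred from the sheet: gap = 3 - score (score 1 -> gap 2, score 2 -> gap 1)

# Rating bands copied from the dashboard's "Rationale & Action" table, highest floor first.
RATING_BANDS = [
    (75, "Observed practice consistent with recommended practice. Limited need for further development. Monitor."),
    (50, "Some ability to demonstrate adherence to recommended practice. Some opportunity for improvement."),
    (25, "Material gap between current practice and recommended practice. Substantial opportunity for improvement."),
    (0,  "Inability to demonstrate adherence to recommended practice. Fundamental need to address this area."),
]


def gap(score: int) -> int:
    """The 'gap' cell that pops up next to a score in column E."""
    if not 0 <= score <= MAX_POINTS:
        raise ValueError(f"score must be 0..{MAX_POINTS}, got {score}")
    return MAX_POINTS - score


def module_summary(scores):
    """Points, gaps and percentages for one themed module (one 'C' chart)."""
    current = sum(scores)
    gaps = sum(gap(s) for s in scores)
    possible = MAX_POINTS * len(scores)
    return {
        "current": current,
        "gap": gaps,
        "possible": possible,
        "current_pct": 100.0 * current / possible,
        "gap_pct": 100.0 * gaps / possible,
    }


def overall_total(modules):
    """'Total' row: pooled points over every question, so larger modules weigh more."""
    current = sum(m["current"] for m in modules.values())
    possible = sum(m["possible"] for m in modules.values())
    return 100.0 * current / possible


def overall_check(modules):
    """'Check' row: plain mean of the module percentages, each module weighted equally."""
    return sum(m["current_pct"] for m in modules.values()) / len(modules)


def rating(pct: float) -> str:
    """Map a percentage onto the dashboard's Rationale & Action text."""
    for floor, text in RATING_BANDS:
        if pct >= floor:
            return text
    raise ValueError(f"percentage out of range: {pct}")


# Constructed input. Module 10's scores come from the page (questions 10.1-10.4);
# the second module is hypothetical and exists to show Total and Check diverging.
SAMPLE = {
    "10. Working with Counterparties": [1, 2, 1, 1],          # 5/12 current, 7/12 gap
    "X. Hypothetical module (constructed)": [0, 0, 1, 0, 1, 0, 0, 0],  # 2/24 current
}


def summarise(sample=SAMPLE):
    modules = {name: module_summary(scores) for name, scores in sample.items()}
    return {
        "modules": modules,
        "total_pct": overall_total(modules),   # pooled: 7/36 = 19.4%
        "check_pct": overall_check(modules),   # mean of 41.7% and 8.3% = 25.0%
    }


if __name__ == "__main__":
    result = summarise()
    for name, m in result["modules"].items():
        print(f"{name}: {m['current']}/{m['possible']} = {m['current_pct']:.0f}% current, {m['gap_pct']:.0f}% gap")
    print(f"Total (pooled):  {result['total_pct']:.2f}% -> {rating(result['total_pct'])}")
    print(f"Check (mean):    {result['check_pct']:.2f}% -> {rating(result['check_pct'])}")
```

With these two modules the pooled Total lands at 19.4% (the "<25%" band) while the equal-weight Check lands at 25.0% (the "25-49%" band), so the two overall figures can put the same organisation in different rating bands. The workbook's own 27% Total (58/213) against 28.35% Check is the same effect on a smaller scale; when presenting the dashboard, state which of the two the "BENCHMARK RATING AVERAGE" uses.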
[Charts: one pie chart for the overall result (Current State 27% / Opportunity for Improvement 73%) and one per module, worksheets C1 to C10, each labelled "Current State" and "Opportunity for Improvement" with the same percentages as the Data Summary; the module 4 chart label reads 12% where the table shows 13%.]
Dashboard

<NAME> Enterprise-wide (ERM) Risk Management & ISO 31000 - Benchmark Rating:
"How does <NAME> currently rate against recommended practice for ERM?"

1. Sponsorship and Positioning: Board & Senior Management collectively recognise their on-going responsibility to manage risk governance, and demonstrate organisation mandate and commitment.   44%

2. Managing the Risk Management Process: Managers ensure Risk Management is part of the planning and performance management processes, and that roles and responsibilities are clearly defined.   26%

3. Identification: Risks are identified systematically and consistently across the organisation.   43%

4. Prioritisation: Risks are prioritised in descending order of importance, to focus time and resource on the critical risks first.   13%

5. Treatment: Updated risk action plans mitigate the prioritised risks.   26%

6. Reporting: There is a consistent reporting framework in place to facilitate reporting at the appropriate level, including subsequent feedback and communication of its outputs throughout the organisation.   11%

7. Monitoring: The organisation continuously monitors the risks facing it, and the improvements to the Risk Management process and its effectiveness.   24%

8. Culture & Embedding: People have the ability and tools to embed and sustain a Risk Management process in the organisation's culture and practices.   33%

9. Communication: The organisation actively consults and communicates its various risk management activities to all stakeholders.   22%

10. Working with Counterparties: The organisation has robust risk management practices in place when working with counterparties and monitors them.   42%

BENCHMARK RATING AVERAGE   27%

Score     Rating   Rationale & Action
<25%               Inability to demonstrate adherence to recommended practice. Fundamental need to address this area.
25-49%             Material gap between current practice and recommended practice. Substantial opportunity for improvement.
50-74%             Some ability to demonstrate adherence to recommended practice. Some opportunity for improvement.
75%+               Observed practice consistent with recommended practice. Limited need for further development. Monitor.
Document info: posted 11/26/2011; language: English; pages: 24